Tim Callahan, SVP, Global Security and Global Chief Security Officer (CISO), Aflac
Forming a global security infrastructure is never a one-size-fits-all approach, but proven methods can help.
Aflac implemented a global security organization under its general counsel to ensure global view and reach. This decision was influenced by a yearlong study conducted by a cross-functional committee of senior officers who interviewed executives from companies with similar information protection needs, regulatory requirements, and either a global or multi-country presence.
The study concluded that there isn’t a standard organizational structure across the industry, and each organization had varying reasons for their structure. Key lessons included:
1. There were no cases where there was a global CISO (GCISO) without some pre-existing global (operational) management structure. The proper role of security is supporting the company’s business purpose.
2. In every case where there was a GCISO, there was also a global information security committee in some form. The broader the composition of the committee functionally, the more valuable the committee in governance.
3. We didn’t find any company where there was a GCISO who thought they had fully solved the problem that led to the global role. Most interviewed believed their organization’s actions had not fully addressed original concerns and, as a result, were in a continual state of adjustment.
4. In several cases the company renamed the position to a global chief security officer (GCSO) and included oversight and responsibility for continuity and physical security. GCISOs all had responsibility for technology disaster recovery at a minimum. Responsibility for continuity and physical security involved setting policy, standards, minimum objectives, monitoring, measuring effectiveness through metrics and reporting.
5. The GCISO in cases maintained direct security operations center (SOC) oversight and incident response and management responsibility (AKA, a global cyber emergency response team). In most cases, a SOC was established at the highest level as either a centralized SOC or a “root” SOC over one or more regional SOCs.
6. Vital security functions, such as threat and vulnerability management, were at a minimum monitored at the GCISO level. In all cases, the security function specified the vulnerability remediation program and requirements to include how quickly remediation must take place. In the (perceived) most effective program, a third-party service (reporting to the CISO) conducted vulnerability management scanning and provided the results to the appropriate technology function for remediation.
Formed on these lessons, the principles below define enduring truth statements that drive decisions through adherence. As the solution is sought, if one ensures that a principle isn’t violated, there is a good chance an effective organization can be established that meets governance requirements.
1. Information security must be a collaborative program with cross-functional participation.
2. An information security program must protect and further company business objectives.
3. Information security is a support function and must be organized in a manner consistent with the character, culture and organizational philosophy of the company.
4. There must be a qualified accountable officer with sufficient responsibility and authority to lead an information security program; there should be a single responsible officer.
5. The information security program must be organized to provide appropriate segregation of duties and the ability to act independent of technology production entities.
6. Within legal and regulatory constraints, information security controls are business risk decisions and must follow a risk/cost/benefit decision model.
7. Information security policy must emanate from the board of directors and be approved by senior leadership with cross-functional coordination.
8. The information security function, regardless of organizational model, must have sufficient independent control over information security processes. Where information security doesn’t have direct control, the company must have independent, systemic monitoring.
9. Qualified security personnel must be assigned to specify, control, monitor and operate security technology configured out of line with production networks.
10. Qualified security personnel must be assigned to specify, control, monitor and have functional approval, but not operate, security technology configured in line with production systems. Systemic (if possible) and process controls must exist to verify implementation of technology consistent with the security function’s specifications.
11. Clear responsibilities and accountability must be decided, agreed upon and enforced so there is no confusion in program execution and in a cyber incident response.
Global governance structure steps can be taken as broad agreement is achieved, rather than waiting for the perfect answer. Including membership from the lines of business is critical to ensure decisions don’t have an undue business burden.
Optimal organization at the corporate level may well be a global chief security officer with responsibility for information security, cybersecurity, continuity, physical security and recovery aspects. The GCSO must have sufficient staff to execute an effective global program, minimally including:
1. IT compliance and risk management: Responsible for coordinating technology-specific compliance, conducting risk assessments of technology and service providers, tracking security approvals including exceptions, coordinating regulatory exams and audits with appropriate company entities, and overseeing IT controls
2. Security engineering and architecture: Works with the technical teams to specify security standards, configurations and technology. Further assists project and implementation teams in meeting the security standards, integration and engineering security solutions when required.
3. Security operations and threat management: Operates the global SOC, conducts threat intelligence, supervises the vulnerability detection and management function, and specifies controls over logical access at all levels. Actual manual access grants may be executed locally but must be on platforms and under criteria established by this group, which monitors and, in some cases, operates security technology where common controls are administered.
4. Security program and strategy: Sets up systemic measures and metrics, nominates the overall security strategy and documents subcomponents of the strategy. The measures would inform the status reporting to the global risk committee, executive leadership and the board of directors.
5. Continuity, resiliency and recovery: Defines strategy, sets policy, standards and requirements to plan for, protect and recover corporate assets in a broad array of scenarios.
6. Protection: Involves the physical protection of essential company assets.
Although the above are high-level statements, it requires detailed specification. The most prudent path to achieving the optimal organization is:
1. Form the global information security committee (GISC).
2. Agree on the membership of the GISC—minimum recommended voting members.
a. CSO as chair and responsible for board and executive level reporting. Chief information officer (CIO)—regional.
b. CIO/chief technology officer—global and/or regional.
c. General Counsel.
d. Legal counsel—regional.
e. Chief communications officer–global or regional
f. Chief compliance officer—global or regional
g. Global operations risk
h. Audit—as observer/advisor
i. Administrative and support members as needed
3. Task the GISC with defining the GCSO roles and responsibilities and developing a RACI (responsible, accountable, consulted and informed) model to accompany the recommendations.
4. Socialize the organization, when defined, with all company executives.
5. Gain approval and support at the board of directors’ level.
This approach provides the time to properly plan, socialize and coordinate, with opportunities to watch the emerging regulatory and criminal threat climate and fine-tune as various aspects are learned and new sources of opposition are uncovered. By deliberately defining requirements tuned to the culture, character and nature of your business, establishing guiding principles, forming a strong cross-functional governance body and forming the organization consistent with the above, you can achieve a highly effective global governance organization.